UK Security guru lays into database vendors

Noted security researcher, David Litchfield, has again panned the state of database security, revealing another clutch of vulnerabilities in the software of a major vendor.

In his address at the Black Hat conference in Las Vegas this week, he released details of more than 20 holes that he and his researchers at UK-based NGS (Next Generation Security) Software, had uncovered in IBM’s Informix database family.

The wide-ranging flaws could allow an attacker to mount a denial-of-service attack, gain access to information, or compromise the integrity of the database itself. Versions 7.3, 9.4, and 10.0 are said to be affected.

Security website Secunia has since released more details of most of these vulnerabilities, which it rates as “moderately critical”.

"In my opinion, database security is riddled with holes and it's the biggest problem we face in IT today," Litchfield was reported to have said during the presentation.

"The database attacks are out there and these data breaches show it. They just aren't noticed at the time."


Litchfield has excellent database flaw-finding credentials, having found a large number of holes in Oracle's products two years ago.

He subsequently pursued the company over the time it took to patch one of these holes, which Litchfield said was significant. He even went to the unusual lengths of releasing his own patch for the issue.

He remains angered by the time it takes database vendors to patch reported flaws, commenting on the number of issues that remained to be dealt with in the products of his favourite target, Oracle.